(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(19) World Intellectual Property Organization 
International Bureau 

(43) International Publication Date 
20 February 2003 (20.02.2003) 




(10) International Publication Number 

PCT WO 03/015043 Al 



(51) International Patent Classification 7 : G07F 19/00 

(21) International Application Number: PCIYGB02/03485 

(22) International Filing Date: 29 July 2002 (29.07.2002) 

(25) Filing Language: English 

(26) Publication Language: English 

(30) Priority Data: 

01 19040.4 3 August 2001 (03.08.2001) OB 

PCT/GB01/04072 

U September 2001 (1 1.09.2001) GB 

(71) Applicant (for all designated States except US): HALT- 
FERN LIMITED (GB/GB); 2 Mountview Court, 310 
Friem Bamet I^ane, Whetstone, London N20 0YZ (GB). 

(72) Inventor; and 

(75) Inventor/Applicant (for US only): CODRON, Izidore 



[IT/ZA); No 1 Cassell Road, Sea Point, 8005, Cape Town 
(ZA). 

(74) Agent: KEMP, Paul, Geoffrey; Brookes Batchellor, 
102-108 Clcrkcnwcll Road, JjomJon ECIM 5SA (GB). 

(81) Designated States (national): AE. AG, AL, AM. AT, AU, 
AZ, BA, BB, BG t BR, BY, BZ, CA, CH, CN, CO, CR, CU, 
CZ, DE, DK. DM. DZ, EC, KK, KS, FI, GB. GD, GE, GH, 
GM, HK, HU. ID, IL, IN, IS, JP, KE, KG, KP. KR, KZ, LC, 
LK, LR, LS, LT, LU, LY MA, MD, MO, MK, MN. MW, 
MX, MZ, NO. NZ, OM, PH, PL, PT, RO. RU, SD, SK, SG, 
SI, SK. SL, TJ, TM, TN, TR, TT, TZ, UA, UG, US, UZ, 
VN. YU,ZA.ZM,ZW. 

(«4) Designated States (regional): ARIPO patent (GH, GM, 
KE. LS, MW, MZ, SD, SL, SZ, TZ, UG, ZM, ZW), 
Eurasian patent (AM, AZ. BY, KG, KZ. MD, RU, TJ, TM), 
European patent (AT, BE, BG. CH, C Y, CZ, DE, DK, EE, 
ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, Fr, SE, SK, 

[ Continued on next page J 



= (54) Title: A CREDIT CARD SECURITY SYSTEM 



5 

O 

in 

r—l 
O 

o 
O 



(57) Abstract: The specification discloses a credit card security sys- 
tem in which a security server (4) is arranged to respond to the initia- 
tion of a transaction ( 1) by instantly transmitting an SMS text message 
to the credit card holder's cellular mobile phone (7). 



u 



5 




WO 03/015043 Al fiiniiiBiiiiiinNiiiiflioniii 



TR), OAHI patent (BF, BJ t CF. CO. CI, CM, G A, GN, GQ, 
GW, MU MR, NK, SN, TO, TG). 

Published: 

— with international search report 



For two-tetter codes and other abbreviations, refer to the "Guid- 
ance Notes on Codes and Abbreviations m appearing at the begin- 
ning of each regular issue of the PCT Gazette. 



WO 03/015043 



- 1 - 



PCT/GB02/03485 



A Credit Card Security System. 

The present invention is concerned with a credit card security system which is 
able to reduce the fraudulent use of a card. 
5 The problem of fraudulent use of a credit card will be familiar to most and is 

becoming more serious as credit card and like transactions become more commonplace. 
A frequent problem results from a credit card or card data being stolen and used 
fraudulently for hours or even days, while the card holder is unaware of the abuse and 
so unable to alert the card issuer. 
10 In the ordinary course of implementing a credit card transaction it is commonplace 

that the transaction will be recorded Immediately to a server, if the transaction takes 
place in a conventional shop this is usually achieved by swiping the card through a 
transaction machine and the machine then addresses a remote card credit checking 
server provided by the credit card issuer and interrogates a database in the remote 
1 5 credit checking server for credit worthiness. The credit checking server will then 

respond by issuing signals to the transaction machine either approving the transaction or 
rejecting the transactioa In the case of remote transactions, it is usual that the credit 
card details are logged directly to a vendor's in house transaction system, either 
manually if the transaction is a telephone sale or directly if the sale is via the world wide 
20 web. The present invention seeks to take advantage of the existing system of 

processing credit card transactions and so improve credit card security at minimal cost 
Accordingly the present invention provides a credit card security system having: 
a credit card bearing data corresponding to a card holder account 
a security server arranged to receive said card holder account data when a credit 
25 card account transaction is initiated and responsive to receipt of said data to transmit a 
message immediately to at least one of a mobile phone account in the name of said card 
holder or an email account in the name of said cardholder. 
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According to a second aspect of the present invention there is provided a method 
of improved credit card security comprising the steps of: 

initiating a transaction by communicating data corresponding to a card holder 
account to a vendor, 

5 said vendor communicating said card holder account data to a security server, 

said security server responding to said credit card holder account data by 
addressing at least one of mobile phone account data or email account data previously . 
provided by the credit card holder, and sending at least one of an SMS message or 
email to said mobile phone or email account 

10 By immediately transmitting a message to the legitimate card holder's mobile 

phone and/or email account the legitimate card holder is immediately (often in a period 
of less than 30 seconds and usually less than 300 seconds) warned that use is being 
made of his card. By conventional means the credit card user may be unaware of the 
abuse of his card until he receives the monthly card balance probably days or weeks 

15 later, even then the abuse may not be instantly obvious. Thus the present invention 
gives a clear and immediate warning if the credit card account Is being used fraudulently 
and this will give the legitimate card holder a very early opportunity to alert the credit 
card provider to the fraudulent use so that steps can be taken to prevent further abuse. 
The mobile phone account data and/or email account data may be presented on 

20 the card in which case it is preferable that the data is encrypted and in machine readable 
form, such as the conventional magnetic strip or electronic memory. However, it is 
preferred that the credit card provider pre-loads the mobile phone and/or email account 
data onto the security server. The credit checking server or a server in close 
communication with the credit checking server may conveniently serve as the credit 

25 checking server. In this way the mobile phone data and email account data is not 

available to a thief and the mobile phone and email data can be readily managed by the 
credit card provider in cooperation with the credit checking service provider. In this 
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preferred embodiment of the Invention the security server has means to receive said 
card holder account data when a credit card account transaction is initiated, memory 
means which holds card holder account data, and memory means holding at least one of 
mobile phone account data or email account data. The security server is responsive to 
5 receipt of said card holder account data to recover at least one of the mobile phone 
account data or email account data corresponding to said card holder account data 
received from memory and has transmission means to transmit a message immediately 
to at least one of the mobile phone account or email account corresponding to said card 
holder. 

10 It is preferred that the message Is a text message. 

The security system and method may be further enhanced by enabling the card 
holder's mobile phone to respond to the message with a default stop or proceed 
message to stop or expedite the transaction. A stop message might then be 
retransmitted from the security server to the vendor so that if the transaction is fraudulent 

1 5 the transaction can be stopped by the vendor. Preferably the mobile phone would be 
adapted to present the message in a way which allows the credit card holder to respond 
to the message from a soft key, selecting proceed or stop, alternatively one or two of the 
phone keys may be used to transmit a default, proceed or stop message to the security 
server. The security system may be set to allow a transaction to proceed if no response 

20 is received from the mobile phone within a predetermined period, for example, ninety 
seconds. This will allow transactions to proceed where the mobile phone is out of 
service for any reason. 

Embodiments of a credit card security system constructed and operated 
according to the system and method of the present invention will now be describe, by 
25 way of example only, with reference to the accompanying illustrative drawings, in which: 
Figure 1 1s a first embodiment of the system, and 
Figure 2 is a second embodiment of the invention. 
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Figure 1 shows a credit card transaction being Implemented using the security 
system. At 1 data Indicative of the credit card account is input to a vendor's transaction 
computer/server 2. The data input may be via a card reader, by manual input, direct 
input via internet access or by any other conventional means. This data is processed in 
5 the usual way and communicated via normal telecommunication 3 to security server 
provided in this example by a card credit checking server 4 in two way communication 
with the vendors server 2. The card credit checking server 4 includes a register of email, 
addresses and cellular mobile phone numbers which correspond to each credit card 
account Upon receipt of the credit card account data the card credit checking server 

1 0 addresses the corresponding mobile phone account number and/or email address and 
forwards a predetermined message to an internet server 5 and/or a cellular network 
server 6 and hence to the credit card holder's mobile phone 7 or computer 8. The 
message will preferably be a text message and may in addition to an indication that a 
transaction has been Implemented include further information data such as the location, 

1 5 time and value of the transaction. Particularly if this further information is delivered to a 
PC or other handheld type device this will allow credit card holders to maintain nearly 
instant monitoring of their credit card account balance in addition to enhancing the 
security of the account 

Although this specification refers particularly to credit cards, it should be 

20 appreciated that the term credit card may also include debit cards and other forms of 
payment card, including; smart cards, stored value cards and any other microprocessor 
payment system embedded in hand held devices like mobile phones or personal digital 
assistants (PDA's). These chip cards will have a processor, ROM and RAM, an 
operating system and even co-processor power for handling Crypto Algorithms in real 

25 time allowing the card or handheld device to trust or distrust a terminal on or off-line. 
Such a terminal will have the ability to intelligently interrogate a payment card or hand 
held device micro-processor payment system and locally satisfy itself that the card is 
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trustworthy. It may also have application where card like devices are used in smart 
security systems as a key to provide access to restricted areas, in such Instances the 
unauthorised use' of an authorised key would be alerted to the authorised user. 

Figure 2 diagrammatically illustrates a second embodiment of the invention. The 
5 components of the system common to the first embodiment are similarly numbered and 
only the differences between the two embodiments will be described. When the security 
server 6 generates a message to the mobile phone 7a the message includes code to 
generate one of two response messages from the phone. Thus when a message such 
as that illustrated on the phone display Is received it includes that the message is a 

10 "credit card transaction alert* here abbreviated to "CC TRNS ALT the date and time and 
the location "@XXXXXXX W there is additionally a question "PROCEED?* 9L The 
message establishes a softkey 9 option "YES* to respond with a proceed message and 
option "NO" to respond with a stop message. In the figure, "NO" is selected which 
message 1 0 is transmitted to the cellular network server 6. The message from the 

1 5 phone will include code to identify the phone. This is then retransmitted to the card 
credit checking and security server 4 which matches the phone to the transaction in 
issue by correlation with a register of mobile phone account data. Thus a stop message 
reaches the vendor's transaction server 2 where steps may be implemented in a 
conventional manner to stop the transaction. The security server 4 will ordinarily wait for 

20 a period, for example ninety seconds, before emitting a proceed message based on 

conventional card credit criteria. Thus the proceed message may expedite a transaction. 
Conversely a stop message from the mobile phone or any stop transaction message 
based on other criteria will take priority. 
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Claims 

1 . A credit card security system having: 

a credit card bearing data corresponding to a card holder account 
5 a security server arranged to receive said card holder data when a credit 

transaction is requested and responsive to receipt of said data to transmit a message 
immediately to at least one of a mobile phone account corresponding to said card holder 
or an email account in the name of said cardholder. 

10 2. A credit card security system according to claim 1 wherein the security server 
has; 

means to receive said card holder account data when a credit card account 
transaction is initiated, and 

memory means holding at Jeast one of mobile phone account data or email 
15 account data addressed according to the card holder account data, 

said security server being responsive to receipt of said card holder account data 
to recover at least one of the mobile phone account data or email account data 
corresponding to said card holder account data received and having 

transmission means to transmit a message immediately to at least one of the 
20 mobile phone account or email account corresponding to said card holder. 

3. A credit card security system according to daim 1 or claim 2 wherein the 
security server is provided by the credit card issuer. 

25 
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4, A credit card security system according to any one of the preceding claims 
wherein the security server is downstream of a vendor's transaction server to receive the 
account data from the vendor's transaction server. 

5 5. A credit card security system according to claim 4 wherein the security server is 
provided by a card credit checking server. 

6. A credit card security system according to claim 1 wherein the credit card 
holder's mobile phone account number or email address are encoded on the credit card 

10 and the data is recoverable from the card when the card is swiped in a transaction 
machine by a vendor to be used by the security server in communication with the 
transaction machine to transmit the message. 

7. A credit card security system according to any one of the preceding claims 
15 wherein the security server has means to receive a predetermined stop message from 

the mobile phone encoded to indicate that the transaction should be stopped. 

8. A credit card security system according to claim 7 wherein the security server 
has means adapted to respond to receipt of a predetermined stop message to transmit a 

20 message to the vendor to stop the transaction. 

9. A credit card security system according to claim 7 or 8 wherein the security 
server has means to receive a predetermined message from the mobile phone to 
indicate that the transaction should proceed, and means adapted to respond to receipt of 

25 the proceed message to send a proceed message to the vendor. 1 
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10. A method for improving credit card security when a card transaction is initiated 
comprising the steps of: 

a card holder communicating data corresponding to a card holder account to a 

vendor, 

5 said vendor communicating said data to a security server, 

said security server responding to said credit card holder account data by 
addressing at least one of mobile phone account data or email account data 
corresponding to said card holder account and previously provided by the credit card 
holder, and sending one of an SMS message or email to said mobile phone or email 
10 account 

11. A method according to claim 10 comprising the step of the credit card issuer 
providing the security server. 

15 12. A method according to either one of claims 10 or 11 wherein said security 
server responding to a predetermined stop message from the account holder's mobile 
phone by transmitting a stop message to the vendor to stop the transaction. 

13. A method according to any one of claims 10 to 12 wherein the security server 
20 mobile phone is adapted to send a proceed message to the security server in response 

to the transaction message, said server responding by transmitting a proceed message 
to the vendor. 

14. A method according to claim 10 wherein the mobile phone data or email data is 
25 encrypted on the credit card and comprising the step of the data being read from the 

credit card when the credit card is swiped in a transaction machine provided by a 
vendor, 
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said transaction machine communicating said mobile phone or email data to a 

server, 

said server communicating an SMS message or email to the address of the credit card 
holder. 

5 

15. A server adapted to receive data identifying a credit card account, said server 
having a register preloaded with a mobile phone account number and/or email address 
corresponding to the holder of the credit card account, said server being adapted to 
respond to data indicating that a transaction is to be implemented using said credit card 
10 account by recovering a mobile phone and/or email address corresponding to the credit 
card account and said server being provided with communication means to issue a 
message to said mobile phone account or email address. 
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